Have You Patched Those 35 Java Vulns on IBM i?
July 19, 2017 Alex Woodie
IBM i shops that take security seriously will want to know that IBM has issued a number of security patches over the past several months. The patch count since March includes fixes for security vulnerabilities in various technologies supported in IBM i 6.1 through 7.3, including 35 alone in Java, as well as flaws in Python, Samba, BIND, and the integrated Web server.
Implementing security patches, or program temporary fixes (PTFs) in IBM jargon, is one of the easiest ways to ensure your system is kept up-to-date against vulnerabilities that are constantly being exposed by the hacker community. It’s also one of the main benefits you get from buying technical support from IBM and staying current on supported platforms. Unfortunately, many IBM i shops have failed to keep up with new operating systems, and in the process have exposed their servers, applications, databases, and users to security threats lurking on the Internet and elsewhere. (We’re looking at you, i5/OS V5R4).
Here are some of the recent security patches that IBM has issued for supported releases of the IBM i OS, which includes IBM i 7.1 through 7.3, as well as some unsupported releases. (IBM doesn’t run a charity, but it is obviously concerned enough about its clients to fix serious security problems in older releases – just not V5R4.)
JDK Vulnerabilities: IBM issued several patches for vulnerabilities in the Java software development kit (SDK) for IBM i, which Big Blue officially calls the IBM SDK Java Technology Edition.
On June 19, IBM issued a security alert covering 13 security vulnerabilities in the SDK used by IBM i 6.1, 7.1, 7.2, and 7.3. The patches cover an assortment of issues with the Java Standard Edition (SE) software from Oracle, including three that could enable an attacker to take full control of the affected systems and that have CVSS base scores of 7.7 or higher. Several other patches fix problems that could allow attackers to launch a denial of service (DOS) attack against affected servers, or to expose highly sensitive information. IBM fixed the issues with PTF numbers SF99562 level 39 for IBM i 6.1, SF99572 level 28 for 7.1, SF99716 level 13 for 7.2, and SF99725 level 5 for 7.3.
On April 28, IBM issued this security alert regarding fixes for 22 security flaws in various Oracle Java SE components used in IBM i 6.1, 7.1, 7.2, and 7.3. Some of the flaws are quite serious. There are five with CVSS base scores of 9.6, reflecting the potential for attackers to impact the confidentiality, integrity, and availability of data and systems. Four of the vulnerabilities have CVSS scores between 7.5 and 9.0, reflecting serious threats, while five more have CVSS scores between 5.5 and 6.8, indicating a potentially big impact. IBM fixed the problems with four PTFs, including SF99562 level 38 for IBM i 6.1, SF99572 level 27 for 7.1, SF99716 level 12 for 7.2, and SF99725 level 4 for 7.3.
HTTP Server Vulnerabilities: IBM issued two alerts for separate issues with the HTTP Server.
On May 5 IBM issued a security alert regarding an issue with the Apache Web Server included in IBM i 7.1, 7.2, and 7.3. “The IBM HTTP Server on the IBM i OS now strictly checks the HTTP request headers” by following best practices, IBM states. “If there are any extra or invalid whitespaces, horizon tabs, empty field value, etc. that exist in the request line or header field, a ‘HTTP 400 – Bad Request’ response will be returned.” Previously users may have gotten a “HTTP 200 OK” response with those same HTTP request headers, IBM says. The fixes are in PTF numbers SF99722 level 7 for IBM i 7.1, SF99713 level 20 for 7.2, and SF99368 level 46 for 7.3.
On March 21 IBM issued this security alert for three separate security vulnerabilities in the Apache Web Server. One of the flaws makes the IBM i server vulnerable to a POODLE attack (CVSS base score 5.4), another makes it vulnerable to a DOS attack (CVSS base score 5.3), while the third could allow an attacker to perform an array of attacks, including Web cache poisoning or cross-site scripting, or possibly obtain sensitive information (CVSS base score 6.1). IBM fixed the problems with PTF numbers SI63670 for IBM i 7.1, SI64140 for 7.2, and SI63997 for 7.3.
Samba Vulnerabilities: IBM issued two security alerts for Samba, which is a piece of open source freeware designed to enable file sharing over SMB/CIFS protocols.
On June 13 IBM issued a security alert for a vulnerability in Samba that could allow a remote authenticated attacker to execute arbitrary code on servers running IBM i 7.2 and 7.3. This problem in Samba could enable a malicious Samba client to upload a shared library to a writable share, and then cause the server to load and execute it. The vulnerability was given a relatively high CVSS (Common Vulnerability Scoring System) base score of 7.5. IBM fixed the problem with PTF numbers SI65094 for IBM i 7.2 and SI65096 for IBM i 7.3.
On May 16, IBM issued a security alert for a vulnerability in Samba that could allow a remote authenticated attacker to launch a “symlink attack” against an IBM i server running 7.2 or 7.3 of the OS. A local attacker could also exploit this vulnerability to view files. It has a CVSS base score of 4.3, indicating it’s a medium-low threat. IBM fixed the problem with PTF numbers SI64750 for IBM i 7.2 and SI64751 for 7.3.
BIND Vulnerabilities: On May 9 IBM issued this security alert to inform users of a fix for various vulnerabilities with the BIND domain name service in IBM i 6.1, 7.1, 7.2, and 7.3. All of the security flaws could allow an attacker to execute a DOS attack on impacted servers. IBM fixed the problems with PTF numbers SI64617 for IBM i 6.1, SI64615 for 7.1, SI64630 for 7.2, and SI64614 for 7.3.
Python Vulnerabilities: On March 23 IBM issued a security alert regarding two issues with Python libraries distributed with 5733OPS, the open source option from IBM. The problems could enable an attacker to conduct various attacks against vulnerable systems. In one case, an attacker injecting arbitrary HTTP headers into requests could execute cross-site scripting, cache poisoning, and session hijacking attacks (CVSS base score 6.5), while in the other, the attacker could overflow a buffer to execute arbitrary code on the server or cause the app to crash (CVSS base score 7.3). The fixes are in PTF numbers SI63850 for 5733OPS Option 2 and SI63849 for 5733OPS Option 4.
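As an added example (not from the article or from IBM), here is how an administrator can check one partition against the 7.3 numbers listed above with SQL over the Db2 for i services QSYS2.GROUP_PTF_INFO and QSYS2.PTF_INFO; for 7.1 or 7.2 substitute that release's numbers from the text. It assumes IBM i 7.1 or later with a current Db2 for i group PTF (6.1 has no SQL services), and that the group-status and loaded-status values compared below are the ones those views report.

```sql
-- Added example for this article; not IBM's or the author's code.
-- Checks an IBM i 7.3 partition against the PTF numbers the article lists,
-- using the Db2 for i services QSYS2.GROUP_PTF_INFO and QSYS2.PTF_INFO.
-- Assumes IBM i 7.1 or later with a current Db2 for i group PTF installed.

-- 1. Group PTF: the Java group must be at or above the level in the June 19 alert.
WITH required_groups (ptf_group, min_level) AS (
    VALUES ('SF99725', 5)                      -- Java group PTF for IBM i 7.3
)
SELECT r.ptf_group,
       r.min_level,
       g.PTF_GROUP_LEVEL  AS installed_level,
       g.PTF_GROUP_STATUS AS group_status,
       CASE
           WHEN g.PTF_GROUP_LEVEL IS NULL         THEN 'MISSING: group not on system'
           WHEN g.PTF_GROUP_LEVEL < r.min_level   THEN 'MISSING: level too low'
           WHEN g.PTF_GROUP_STATUS <> 'INSTALLED' THEN 'PENDING: group not fully installed'
           ELSE 'OK'
       END AS verdict
FROM required_groups r
LEFT JOIN QSYS2.GROUP_PTF_INFO g
       ON g.PTF_GROUP_NAME = r.ptf_group;

-- 2. Individual PTFs: each SI fix must be applied; a superseding PTF counts.
--    The 5733OPS rows only matter if that product is installed.
WITH required_ptfs (ptf_id, component) AS (
    VALUES ('SI63997', 'HTTP Server, March 21 alert'),
           ('SI65096', 'Samba, June 13 alert'),
           ('SI64751', 'Samba, May 16 alert'),
           ('SI64614', 'BIND, May 9 alert'),
           ('SI63850', 'Python, 5733OPS Option 2'),
           ('SI63849', 'Python, 5733OPS Option 4')
)
SELECT r.ptf_id,
       r.component,
       COALESCE(p.PTF_LOADED_STATUS, 'NOT LOADED') AS loaded_status,
       CASE
           WHEN p.PTF_LOADED_STATUS IN ('APPLIED', 'PERMANENTLY APPLIED', 'SUPERSEDED')
               THEN 'OK'
           ELSE 'MISSING'
       END AS verdict
FROM required_ptfs r
LEFT JOIN QSYS2.PTF_INFO p
       ON p.PTF_IDENTIFIER = r.ptf_id
ORDER BY verdict, r.ptf_id;
```

Run both statements from ACS Run SQL Scripts or STRSQL; any row whose verdict is not OK is a fix from the alerts above that has not yet reached the partition.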
Time to get those patches on (if you haven’t done so already)!